WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION.

DETAILED ACTION



1. This action is in reply to applicant's correspondence of 22 January 2004.

2. Claims 1-22 are pending for examination.

3. Claims 1-21 are rejected.



Claim Rejections - 35 USC § 102 



The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 



4. Claims 1-21 are rejected under 35 U.S.C. 102(b) as being anticipated by Arnold et al,
U.S. Patent No. 6,981,279 B1.

5. As per claim 1; "A method comprising:
emulating a SMTP client application comprising
generating at least
one SMTP client application dirty page [Abstract, figures 1-4 and
associated descriptions, col. 9, lines 46-col. 12, line 64, whereas the method for
dynamically analyzing software, (inclusive of worm-like behavior of SMTP client
applications) such that said software can be executed in a real (i.e.,
generated/loaded) or emulated (i.e., dirty page state) network environment,
clearly encompasses the claimed limitations as broadly interpreted by the
examiner];
emulating an executable application sent from
said SMTP client application comprising
generating at least
one executable application dirty page [Abstract, figures 1-4 and
associated descriptions, col. 9, lines 46-col. 12, line 64, whereas the
method for dynamically analyzing software, (inclusive of worm-like
behavior of executable applications) such that said software can be
executed in a real (i.e., generated/loaded) or emulated (i.e., dirty page
state) network environment, clearly encompasses the claimed limitations
as broadly interpreted by the examiner.]; and
determining whether said at least one SMTP client application dirty page
is a match of
said at least one executable application dirty page [Abstract, figures 1-4
and associated descriptions, col. 9, lines 46-col. 12, line 64, whereas the aspect of
dynamically analyzing software, (inclusive of comparison of real/emulated
environments), clearly encompasses the claimed limitations as broadly
interpreted by the examiner]."

As per claim 21, this claim is the embodied software claim for the method claim 1 above, 
and is rejected for the same reasons provided for the claim 1 rejection; "A computer program 
product comprising 

a polymorphic worm blocking application. 



Application/Control Number: 10/763,731 Page 4 

Art Unit: 2136 

said polymorphic worm blocking application for: 

emulating a SMTP client application comprising 
generating at least 

one SMTP client application dirty page; 
emulating an executable application sent from 
said SMTP client application comprising 
generating at least

one executable application dirty page; and 
determining whether said at least one SMTP client application dirty page 
is a match of 

said at least one executable application dirty page." 

6. Claim 2 additionally recites the limitations that; "The method of claim 1 further 
comprising 

establishing a SMTP proxy, 

wherein said SMTP client application 

forms a connection with said SMTP proxy.".
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like 
behavior of SMTP client applications) such that said software can be executed in a real (i.e., 
generated, loaded, connectivity established to associated network 

components/proxies/applications) or emulated (i.e., dirty page state) network environment, 
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest
such limitations. 

7. Claim 3 additionally recites the limitations that; "The method of claim 1 further 
comprising 

determining whether SMTP client application dirty pages 
were generated during 

said emulating a SMTP client application, 
said SMTP client application dirty pages comprising 

said at least one SMTP client application dirty page.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like 
behavior of SMTP client applications) such that said software can be executed in a real (i.e., 
generated, loaded, connectivity established to associated network
components/proxies/applications) or emulated (i.e., dirty page state) network environment,
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest
such limitations. 

8. Claim 4 additionally recites the limitations that; "The method of claim 3 further 
comprising 

saving a state of said SMTP client application upon 
a determination that 
said SMTP client application dirty pages were generated
during said emulating a SMTP client application.".
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46-
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like 
behavior of SMTP client applications and the state saved inherently) such that said software can 
be executed in a real (i.e., generated, loaded, connectivity established to associated network 
components/proxies/applications) or emulated (i.e., dirty page state) network environment, 
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest 
such limitations. 

9. Claim 5 additionally recites the limitations that; "The method of claim 1 wherein 
said SMTP client application sends data comprising 
said executable application.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like 
behavior of SMTP client applications and associated sending data related to the applications 
functionality) such that said software can be executed in a real (i.e., generated, loaded,
connectivity established to associated network components/proxies/applications) or emulated 
(i.e., dirty page state) network environment, clearly encompasses the claimed limitations as 
broadly interpreted by the examiner.) suggest such limitations. 

10. Claim 6 additionally recites the limitations that; "The method of claim 5 further
comprising 

decomposing said data.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client 
applications and associated sending data related to the applications functionality, inclusive of 
(i.e., the parsing of email headers) decomposing said data) such that said software can be 
executed in a real (i.e., generated, loaded, connectivity established to associated network 
components/proxies/applications) or emulated (i.e., dirty page state) network environment, 
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest 
such limitations. 

11. Claim 7 additionally recites the limitations that; "The method of claim 5 further
comprising 

determining whether said data comprises 
executable content.". 

The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client 
applications and associated sending data related to the applications functionality, inclusive of
executable components, objects, etc.,) such that said software can be executed in a real (i.e.,
generated, loaded, connectivity established to associated network
components/proxies/applications) or emulated (i.e., dirty page state) network environment,
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest
such limitations. 

12. Claim 8 additionally recites the limitations that; "The method of claim 5 further 
comprising 

establishing a SMTP proxy, 
wherein said data 
is 

intercepted and 
stalled 
by said SMTP proxy.". 

The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client 
applications and associated sending data related to the applications functionality, inclusive of 
emulated proxy components) such that said software can be executed in a real (i.e., generated, 
loaded, connectivity established to associated network components/proxies/applications) or 
emulated (i.e., and analysis aspects such as interception and stalling upon predetermined criteria) 
network environment, clearly encompasses the claimed limitations as broadly interpreted by the 
examiner.) suggest such limitations. 

13. Claim 9 additionally recites the limitations that; "The method of claim 5 further 
comprising 
stalling said data.".

The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client 
applications and associated sending data related to the applications functionality, inclusive of 
emulated proxy components) such that said software can be executed in a real (i.e., generated, 
loaded, connectivity established to associated network components/proxies/applications) or 
emulated (i.e., and analysis aspects such as interception and stalling upon predetermined criteria) 
network environment, clearly encompasses the claimed limitations as broadly interpreted by the 
examiner.) suggest such limitations. 

14. Claim 10 additionally recites the limitations that; "The method of claim 9 wherein 
upon a determination that 

said at least one SMTP client application dirty page 
is not a match of 

said at least one executable application dirty page, 
said method further comprising

allowing said data to proceed.".
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46-
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client
applications and associated sending data related to the applications functionality, inclusive of
emulated proxy components) such that said software can be executed in a real (i.e., generated,
loaded, connectivity established to associated network components/proxies/applications) or
emulated (i.e., and analysis aspects such as interception and stalling upon predetermined criteria,
or not interfering with emulated execution) network environment, clearly encompasses the 
claimed limitations as broadly interpreted by the examiner.) suggest such limitations. 

15. Claim 11 additionally recites the limitations that; "The method of claim 9 wherein
upon a determination that 

said at least one SMTP client application dirty page 
is a match of 

said at least one executable application dirty page, 
said method further comprising 

taking protective action to protect a computer system.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client 
applications and associated sending data related to the applications functionality, inclusive of 
emulated proxy components) such that said software can be executed in a real (i.e., generated, 
loaded, connectivity established to associated network components/proxies/applications) or 
emulated (i.e., and analysis aspects such as interception and stalling upon predetermined criteria, 
with associated notification/protective action) network environment, clearly encompasses the 
claimed limitations as broadly interpreted by the examiner.) suggest such limitations.

16. Claim 12 additionally recites the limitations that; "The method of claim 11 further
comprising
determining that said match

is not a known false positive

prior to said taking protective action.".
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client 
applications and associated sending data related to the applications functionality, inclusive of 
emulated proxy components) such that said software can be executed in a real (i.e., generated, 
loaded, connectivity established to associated network components/proxies/applications) or 
emulated (i.e., and analysis aspects such as interception and stalling upon predetermined criteria, 
with associated notification/protective or 'optimistic' host, server actions) network environment, 
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest 
such limitations. 

17. Claim 13 additionally recites the limitations that; "The method of claim 11 further
comprising 

providing a notification of said protective action.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client 
applications and associated sending data related to the applications functionality, inclusive of
emulated proxy components) such that said software can be executed in a real (i.e., generated,
loaded, connectivity established to associated network components/proxies/applications) or
emulated (i.e., and analysis aspects such as interception and stalling upon predetermined criteria,
with associated notification/protective or 'optimistic' host, server actions) network environment,
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest 
such limitations. 

18. Claim 14 additionally recites the limitations that; "The method of claim 5 further
comprising 

determining whether said data comprises 

executable applications that 

have not been emulated.". 

The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46-
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like
behavior of SMTP client applications and associated sending data related to the applications
functionality, emulated or not) such that said software can be executed in a real (i.e., generated,
loaded, connectivity established to associated network components/proxies/applications) or 
emulated (i.e., dirty page state) network environment, clearly encompasses the claimed 
limitations as broadly interpreted by the examiner.) suggest such limitations. 

19. Claim 15 additionally recites the limitations that; "The method of claim 14 wherein 
upon a determination that 

said data does comprise

executable applications that have not been emulated, 
said method further comprising 
selecting a next executable application for emulation.".
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46-
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like
behavior of SMTP client applications and associated sending data related to the applications 
functionality, emulated or not, where the process is clearly iterative and continues to a next 'next 
executable application for emulation') such that said software can be executed in a real (i.e., 
generated, loaded, connectivity established to associated network 

components/proxies/applications) or emulated (i.e., dirty page state) network environment, 
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest 
such limitations. 

20. Claim 16 additionally recites the limitations that; "The method of claim 15 further
comprising 

emulating said next executable application.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46-
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like
behavior of SMTP client applications and associated sending data related to the applications
functionality, emulated or not, where the process is clearly iterative and continues to a next 'next
executable application for emulation') such that said software can be executed in a real (i.e.,
generated, loaded, connectivity established to associated network
components/proxies/applications) or emulated (i.e., dirty page state) network environment,
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest
such limitations. 

21. Claim 17 additionally recites the limitations that; "The method of claim 1 further
comprising 

determining whether executable application dirty pages 
were generated during 

said emulating an executable application, 
said executable application dirty pages comprising 

said at least one executable application dirty page.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like 
behavior of executable applications) such that said software can be executed in a real (i.e., 
generated, loaded, connectivity established to associated network 
components/proxies/applications) or emulated (i.e., dirty page state) network environment, 
clearly encompasses the claimed limitations as broadly interpreted by the examiner.) suggest 
such limitations. 

22. Claim 18 additionally recites the limitations that; "The method of claim 1 wherein 
said SMTP client application is 

a polymorphic malicious code.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46-
col. 12,line 64, whereas the method for dynamically analyzing software, (inclusive of worm-like 
(i.e., 'polymorphic malicious code') behavior of SMTP client applications) such that said 
software can be executed in a real (i.e., generated, loaded, connectivity established to associated 
network components/proxies/applications) or emulated (i.e., dirty page state) network 
environment, clearly encompasses the claimed limitations as broadly interpreted by the 
examiner.) suggest such limitations. 

23. As per claim 19; "A method comprising:

emulating a SMTP client application [Abstract, figures 1-4 and associated descriptions,
col. 9, lines 46-col. 12, line 64, whereas the method for dynamically analyzing software, (inclusive
of worm-like behavior of executable applications) such that said software can be executed in a
real (i.e., generated/loaded) or emulated (i.e., dirty page state) network environment, clearly
encompasses the claimed limitations as broadly interpreted by the examiner];
determining whether SMTP client application dirty pages
were generated during

said emulating a SMTP client application [Abstract, figures 1-4 and
associated descriptions, col. 9, lines 46-col. 12, line 64, whereas the method for
dynamically analyzing software, (inclusive of worm-like behavior of executable
applications) such that said software can be executed in a real (i.e.,
generated/loaded) or emulated (i.e., dirty page state) network environment,
clearly encompasses the claimed limitations as broadly interpreted by the
examiner];
excluding said SMTP client application as 

a polymorphic malicious code upon 

a determination that said SMTP client application dirty pages 

were not generated [Abstract, figures 1-4 and associated 
descriptions, col. 9, lines 46-col. 12, line 64, whereas the method for
dynamically analyzing software, (inclusive of worm-like behavior of 
executable applications) such that said software can be executed in a real 
(i.e., generated, loaded, connectivity established to associated network 
components/proxies/applications) or emulated (i.e., dirty page state) 
network environment, clearly encompasses the claimed limitations as 
broadly interpreted by the examiner.]; and 
saving a state of said SMTP client application 

upon a determination that

said SMTP client application dirty pages 

were generated [Abstract, figures 1-4 and associated descriptions, 
col. 9, lines 46-col. 12, line 64, whereas the method for dynamically 
analyzing software, (inclusive of worm-like behavior of SMTP client 
applications and the state saved inherently) such that said software can be 
executed in a real (i.e., generated, loaded, connectivity established to 
associated network components/proxies/applications) or emulated (i.e.,
dirty page state) network environment, clearly encompasses the claimed
limitations as broadly interpreted by the examiner.]".

24. Claim 20 additionally recites the limitations that; "The method of claim 19 further 
comprising: 

stalling data from 

said SMTP client application; 
determining whether 

said SMTP client application is 

excluded as said polymorphic malicious code; and 
allowing said data to proceed upon 
a determination that 

said SMTP client application is excluded.". 
The teachings of Arnold et al (Abstract, figures 1-4 and associated descriptions, col. 9,lines 46- 
col. 12,line 64, whereas the method for dynamically analyzing software, (i.e., SMTP client
applications and associated sending data related to the applications functionality, inclusive of 
emulated proxy components) such that said software can be executed in a real (i.e., generated, 
loaded, connectivity established to associated network components/proxies/applications) or 
emulated (i.e., and analysis aspects such as interception and stalling upon predetermined criteria) 
network environment, clearly encompasses the claimed limitations as broadly interpreted by the
examiner.) suggest such limitations.

Allowable Subject Matter

25. Claim 22 is allowed over prior art. 

26. As per claim 22; "A method comprising: 
establishing a SMTP proxy; 

defining an application that forms 

a connection with said SMTP proxy as 
a SMTP client application; 
decrypting said SMTP client application; 
intercepting an executable application sent from 

said SMTP client application with 
said SMTP proxy; 
decrypting said executable application; and 
determining whether 

said SMTP client application when decrypted is the same as 

said executable application when decrypted.". 

Conclusion

27. Any inquiry concerning this communication or earlier communications from examiner
should be directed to Ronald Baum, whose telephone number is (571) 272-3861, and whose 
unofficial Fax number is (571) 273-3861 and unofficial email is Ronald.baum@uspto.gov. The 
examiner can normally be reached Monday through Thursday from 8:00 AM to 5:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached at (571) 272-4195. The Fax number for the
organization where this application is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. For more information for 
unpublished applications is available through Private PAIR only. For more information about the
PAIR system, see http://pair-direct.uspto.gov . Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 